
Email breach chronicles: The NotPetya catastrophe - global havoc in 2017

  • Published : November 9, 2023
  • Last Updated : November 27, 2023
  • 1.7K Views
  • 13 Min Read

NotPetya was a highly destructive ransomware attack that occurred in 2017. Originating in Ukraine, it quickly spread globally, affecting organizations in over 65 countries. NotPetya propagated rapidly within networks using advanced techniques, including the EternalBlue exploit against the Windows SMBv1 vulnerability.

Unlike traditional ransomware attacks, its primary goal was not financial gain but widespread disruption and damage. By encrypting files and modifying the Master Boot Record, it rendered systems inoperable and caused significant financial losses and reputational damage to targeted organizations. NotPetya highlighted the growing threat of destructive ransomware and the need for robust cybersecurity measures to defend against such attacks.

In this article, we'll delve into the depths of the NotPetya cyberattack and unravel its origins, methods, and unprecedented global impact. Furthermore, we'll examine the crucial lessons learned from this destructive event and explore how robust cybersecurity measures can fortify our defenses against such devastating attacks in the future.

Timeline

  • June 27, 2017: The NotPetya attack begins in Ukraine. The initial infection is traced back to a compromised software update for accounting software widely used in the country.
  • Within hours: NotPetya spreads rapidly through Ukraine's networks, infecting government agencies, banks, power companies, and critical infrastructure.
  • International spread: NotPetya quickly crosses international borders, affecting organizations in various countries, including Russia, the United States, the United Kingdom, Germany, France, and many others.
  • June 28-29, 2017: The attack gains significant media attention as organizations worldwide report being affected by NotPetya. Panic and confusion ensue as the full extent of the attack becomes apparent.
  • July 1, 2017: The Ukrainian government and cybersecurity firms publicly attribute the attack to the Russian military.

Origin

NotPetya originated from a compromised software update for accounting software in Ukraine in 2017. The malware, disguised as a legitimate update, infiltrated organizations, spreading rapidly and causing widespread devastation worldwide.

Initial publication

The Ukrainian government released one of the first publications about the NotPetya attack. Ukrainian authorities, including the Cyber Police Department and the National Security and Defense Council, released statements and advisories to inform the public and organizations about the ongoing cyber assault.

Additionally, cybersecurity firms, such as ESET, Bitdefender, and Kaspersky Lab, also played a crucial role in publicizing the attack. Their researchers analyzed the malware, published detailed reports, and provided technical insights to aid in understanding the nature and implications of the NotPetya attack. 

Attack vectors

The attack vectors NotPetya used include the following:

  • Compromised software updates: NotPetya was initially distributed through a compromised software update, tricking users into unknowingly installing the ransomware.
  • Phishing emails: The ransomware also spread through phishing emails containing malicious attachments. When users opened these attachments, NotPetya was executed.
  • Compromised websites: Infected websites were used as a delivery mechanism, where unsuspecting users visiting these sites became victims of the attack.
  • Vulnerability exploitation: NotPetya leveraged the EternalBlue exploit and the Windows SMBv1 vulnerability to gain unauthorized access to vulnerable systems and initiate the infection.

Vulnerability exploited

NotPetya used the EternalBlue exploit against the Windows Server Message Block version 1 (SMBv1) vulnerability (CVE-2017-0144) to gain unauthorized access to vulnerable systems.

Perpetrators

The NotPetya attack has been attributed to state-sponsored actors, specifically the Russian military. However, attribution in the cyber realm is complex and challenging; it typically relies on technical indicators, analysis of attack patterns, and intelligence gathered by cybersecurity experts and intelligence agencies.

Motive

The motive behind NotPetya was primarily geopolitical: the attack mainly targeted organizations in Ukraine's critical infrastructure sectors. The objective was to disrupt and destabilize Ukraine, a country experiencing political tensions with Russia. Unlike typical ransomware attacks driven by financial gain, NotPetya aimed to sow chaos and exert influence rather than extort money.

Execution and methodology

The following methodologies were involved in the execution of the NotPetya attack: 

  • Phishing and deceptive delivery: NotPetya initiated its attack through phishing emails containing malicious attachments. These emails were carefully crafted to deceive users into opening the attachments, which triggered the execution of the ransomware. The attackers also utilized compromised websites to deliver the malware, exploiting vulnerabilities in the visited websites to initiate the infection.
  • Exploitation of vulnerabilities: NotPetya used the EternalBlue exploit against the Windows SMBv1 vulnerability (CVE-2017-0144) to gain initial access to vulnerable systems. EternalBlue, a leaked exploit developed by the NSA, targeted a vulnerability in the Windows SMB protocol, allowing the ransomware to spread quickly across vulnerable networks.
  • Lateral movement and network propagation: Once inside a network, NotPetya used lateral movement techniques to infect additional systems. It exploited weak security configurations, unpatched vulnerabilities, and stolen credentials to gain unauthorized access to other machines within the network, allowing the ransomware to propagate rapidly and infect a large number of devices within organizations.
  • File encryption and Master Boot Record modification: NotPetya utilized advanced encryption algorithms, such as AES-128, to encrypt files on infected systems, rendering them inaccessible without a decryption key. Simultaneously, it modified the Master Boot Record (MBR) of infected machines, preventing them from booting up properly and causing widespread disruption.

Incident detection

The detection of the NotPetya attack varied among organizations, but common indicators included:

  • Systems becoming unresponsive or experiencing unusual behavior, such as file encryption or boot failures.
  • Increased network traffic associated with lateral movement and communication with command-and-control servers.
  • Suspicious file modifications, unusual authentication requests, and the presence of known NotPetya-related files and artifacts.
  • Kaspersky Lab, among the first to identify and analyze NotPetya, conducted research on the malware samples and identified its similarities to a previous ransomware.
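The second indicator above, a surge of internal traffic from lateral movement, is something a defender can test for in connection logs. The script below is an added example written for this article, not code from the original post or from Zoho: it reads connection records as "timestamp,src,dst,dport" lines and alerts when a single source reaches many distinct peers on TCP 445 within a short window, which is the fan-out signature of a worm spreading over SMB. The log format, the thresholds, the function name and the sample lines are all constructed for this example; adapt the parser to your firewall or flow export.

```powershell
# Added example (not from the original article): detect SMB fan-out, the traffic
# pattern of a host sweeping many peers on TCP 445 in a short time.
# Input format "timestamp,src,dst,dport" and all sample data are constructed.

function Find-SmbFanOut {
    param(
        [Parameter(Mandatory)] [string[]] $LogLines,
        [int] $WindowSeconds = 60,    # sliding window length
        [int] $Threshold     = 5      # distinct peers on 445 before alerting
    )

    # Parse, keeping only SMB connections; malformed lines are skipped.
    $events = foreach ($line in $LogLines) {
        $f = $line.Split(',')
        if ($f.Count -ne 4) { continue }
        if (($f[3].Trim() -as [int]) -ne 445) { continue }
        [pscustomobject]@{
            Time = [datetime]::Parse($f[0].Trim(), [cultureinfo]::InvariantCulture)
            Src  = $f[1].Trim()
            Dst  = $f[2].Trim()
        }
    }

    # Per source, slide a window over its connections and count distinct peers.
    foreach ($group in ($events | Group-Object -Property Src)) {
        $sorted = @($group.Group | Sort-Object -Property Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $windowEnd = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $peers = @($sorted[$i..($sorted.Count - 1)] |
                       Where-Object { $_.Time -le $windowEnd } |
                       Select-Object -ExpandProperty Dst -Unique)
            if ($peers.Count -ge $Threshold) {
                [pscustomobject]@{
                    Source      = $group.Name
                    WindowStart = $sorted[$i].Time
                    PeerCount   = $peers.Count
                    Peers       = ($peers -join ' ')
                }
                break   # one alert per source is enough for triage
            }
        }
    }
}

# Constructed sample: 10.0.1.15 sweeps six peers on 445 in under a minute (worm-like),
# 10.0.1.20 talks to two file servers (normal), HTTP and malformed lines are ignored.
$sampleLog = @(
    '2017-06-27T10:15:00,10.0.1.15,10.0.1.2,445',
    '2017-06-27T10:15:03,10.0.1.15,10.0.1.3,445',
    '2017-06-27T10:15:05,10.0.1.20,10.0.1.50,445',
    '2017-06-27T10:15:07,10.0.1.15,10.0.1.4,445',
    '2017-06-27T10:15:09,10.0.1.15,10.0.1.5,445',
    '2017-06-27T10:15:11,10.0.1.15,10.0.1.6,80',
    '2017-06-27T10:15:14,10.0.1.15,10.0.1.7,445',
    '2017-06-27T10:15:20,10.0.1.20,10.0.1.51,445',
    '2017-06-27T10:15:22,10.0.1.15,10.0.1.8,445',
    'garbage line that should be skipped'
)

Find-SmbFanOut -LogLines $sampleLog | Format-Table -AutoSize
```

With the sample data only 10.0.1.15 is reported, with six peers in its first window; 10.0.1.20 stays below the threshold. Tune `WindowSeconds` and `Threshold` against a baseline of your own environment, since backup servers, vulnerability scanners and management hosts legitimately fan out over SMB and should be allow-listed rather than alerted on.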

Impact

  • Financial losses: The White House assessment estimated the total damages NotPetya caused to exceed $10 billion. It affected numerous organizations globally, leading to financial losses for companies such as Maersk Line, which reported between $200 million and $300 million in lost revenues. FedEx also experienced a business impact of approximately $400 million.
  • Critical infrastructure disruptions: During the attack, Ukraine's Chernobyl Nuclear Power Plant's radiation monitoring system went offline, raising concerns about the safety of the facility. Ukrainian ministries, banks, and metro systems were also affected. NotPetya's impact on critical infrastructure showcased its potential to disrupt essential services.
  • Destructive nature: NotPetya has been labeled the most destructive cyberattack ever. It targeted organizations worldwide, including multinational law firms, pharmaceutical companies like Merck & Co., and oil company Rosneft. Other affected entities included advertising agencies, construction companies, logistics providers, and healthcare systems.
  • Geographical reach: The attack had a global reach, impacting companies and organizations in various countries. For example, British advertising company WPP, French construction company Saint-Gobain, and American hospital operator Heritage Valley Health System were among the affected entities.

Industry impact

The NotPetya attack had a significant impact on various industries, including:

  • Shipping and logistics: Maersk, the world's largest container shipping company, experienced severe disruptions.
  • Manufacturing: Companies like Merck & Co., Reckitt Benckiser, and Saint-Gobain reported production disruptions.
  • Healthcare: Heritage Valley Health System and Princeton Community Hospital were affected, causing delays in patient care.
  • Financial services: Notable impacts were observed on organizations such as American pharmaceutical company Merck & Co. and Russian oil company Rosneft.
  • Energy and utilities: Ukraine's Chernobyl Nuclear Power Plant experienced disruptions in its radiation monitoring system.
  • Government and public services: Ukrainian ministries, banks, and metro systems were affected, along with disruptions to critical infrastructure.
  • Professional services: Multinational law firm DLA Piper reported disruptions in their operations.

Data breach

NotPetya was primarily a destructive ransomware attack rather than a data breach. Its main objective was to disrupt systems and cause financial damage rather than steal or extract data, but data loss occurred due to the encryption of files.

Mitigation

Mitigating the NotPetya attack required immediate actions and the implementation of specific measures:

  • Shutting down infected computers: It was found that the encryption process could be stopped by promptly shutting down an infected computer when the fictitious chkdsk (check disk) screen appeared. This approach aimed to interrupt the malware's progress and prevent further damage.
  • Creating read-only files: A security analyst proposed creating read-only files named perfc and/or perfc.dat in the Windows installation directory. This technique aimed to prevent the payload of the current strain of NotPetya from executing, potentially halting the ransomware's encryption process.
  • Suspension of ransom payment confirmation: The email address listed on the ransom screen was suspended by its provider, Posteo, for violating its terms of use. Consequently, infected users were unable to send the required payment confirmation to the attackers. This limitation hindered the ransomware's intended revenue-generating mechanism.
  • FAT file system recovery: If a computer's file system was based on FAT, the Master File Table (MFT) encryption sequence was skipped. Instead, only the ransomware's message was displayed. This allowed for a trivial data recovery process in such instances.
  • Patching vulnerabilities: Microsoft had already released patches for supported versions of Windows in March 2017 to address the EternalBlue vulnerability, which NotPetya exploited. Additionally, patches were provided for unsupported versions of Windows (such as Windows XP) in May 2017, following the impact of the WannaCry ransomware. Promptly applying these patches was crucial to mitigating the risk of infection.
  • Overcoming barriers to patching: Some organizations may have delayed patching due to concerns about downtime or compatibility issues. However, considering the potentially devastating consequences of ransomware attacks, it is essential for enterprises to prioritize the installation of updates and find suitable strategies to minimize disruption during the patching process.
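Two of the measures above, the read-only perfc files and the SMBv1 patch status, can be applied and checked from an elevated PowerShell session. The script below is an added example written for this article, not code from the original post or from Zoho. The file names perfc and perfc.dat come from the article; the function names, the output shape, the use of `Get-SmbServerConfiguration` and `Get-WindowsOptionalFeature` to read the SMBv1 state, and the closing advice to disable SMBv1 where nothing depends on it are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the original article: applies the read-only
# "vaccine" files described above and reports the SMBv1 state of the local host.
# Only the names 'perfc' and 'perfc.dat' come from the article.

function Install-PerfcVaccine {
    param(
        [string]   $WindowsDir = $env:windir,
        [string[]] $Names      = @('perfc', 'perfc.dat')
    )
    foreach ($name in $Names) {
        $path = Join-Path -Path $WindowsDir -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) {
            # A zero-byte file is enough; the technique relies on the file
            # existing and being read-only, not on its contents.
            New-Item -Path $path -ItemType File -Force | Out-Null
        }
        $file = Get-Item -LiteralPath $path
        if (-not $file.IsReadOnly) { $file.IsReadOnly = $true }
        [pscustomobject]@{
            Path     = $path
            ReadOnly = (Get-Item -LiteralPath $path).IsReadOnly
        }
    }
}

function Get-Smb1Status {
    # Server-side SMBv1 switch (Windows 8 / Server 2012 and later).
    $cfg = Get-SmbServerConfiguration -ErrorAction Stop
    # The optional-feature view is not exposed on every SKU; report 'unknown' there.
    $feature = 'unknown'
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch { }
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = $feature
    }
}

# Usage: run from an elevated PowerShell session.
Install-PerfcVaccine | Format-Table -AutoSize
$smb = Get-Smb1Status
$smb | Format-List
if ($smb.Smb1ServerEnabled) {
    Write-Warning ('SMBv1 is still enabled. Verify the March 2017 SMB security update is installed, ' +
                   'and disable SMBv1 where nothing depends on it: ' +
                   'Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force')
}
```

The vaccine file only blocks the strain that checks for it, so it is a stopgap rather than a substitute for patching; the SMBv1 status check is the part worth keeping in a routine compliance script, since an enabled SMBv1 server on an unpatched host is exactly the condition the worm needed.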

Auditors and third parties

  • Kaspersky Lab: Kaspersky Lab was one of the first entities to identify and analyze the NotPetya ransomware. Their researchers conducted in-depth analyses of the malware samples, identified its similarities to previous ransomware, and provided insights into the attack's behavior.
  • Government agencies: Government agencies, such as law enforcement and national cybersecurity agencies, may have collaborated with auditors and forensic experts to investigate the attack. These agencies brought in-depth knowledge, resources, and legal authority to support the investigation and gather evidence.
  • Cybersecurity consulting firms: Affected organizations may have engaged various cybersecurity consulting firms to conduct forensic analysis, identify attack vectors, and assess the impact of the NotPetya attack. These firms offered specialized expertise and methodologies in investigating cyber incidents.

Forensic analysis

Forensic analysis of the NotPetya attack played a crucial role in understanding the attack methodology, identifying its origin, and gathering evidence for further investigation. Key aspects of the technical and forensic analysis include:

  • Malware analysis: Cybersecurity experts conducted an in-depth analysis of the NotPetya malware to understand its structure, functionality, and behavior. This involved reverse-engineering the code, analyzing its propagation mechanisms, and identifying the encryption algorithms used.
  • Network traffic analysis: Investigators analyzed network traffic logs and captured packets to identify communication patterns, command-and-control servers, and lateral movement within the compromised network. This helped in understanding how the malware spread and communicated with its operators.
  • System forensics: Forensic analysis of infected systems involved examining compromised files, registry entries, and system logs to determine the extent of the attack, the actions performed by the malware, and potential indicators of compromise.
  • Memory forensics: Memory analysis was conducted to identify volatile artifacts the malware left, such as injected code, process hooks, and encryption keys. This provided valuable insights into the attack's execution and persistence mechanisms.
  • Indicators of compromise: Investigators compiled a list of IOCs based on their analysis, including file hashes, registry keys, network signatures, and behavioral patterns associated with NotPetya. These IOCs were shared with the cybersecurity community to aid in detection and prevention.
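Once file hashes from an IOC list are in hand, the first triage step on a suspect host is to sweep its file system for matches. The script below is an added example written for this article, not code from the original post or from Zoho. The article publishes no hashes, so the indicator values here are constructed placeholders (one is simply the hash of a scratch file created by the demo); the function name, parameters and output fields are this example's own choices.

```powershell
# Added example, not code from the original article: sweep a directory tree and
# report files whose SHA-256 appears in a list of indicators of compromise.
# All indicator values and sample files below are constructed for the demo.

function Find-IocHashMatches {
    param(
        [Parameter(Mandatory)] [string]   $Root,
        [Parameter(Mandatory)] [string[]] $KnownBadSha256
    )
    # Case-insensitive set so feed formatting (upper/lower-case hex) does not matter.
    $bad = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($h in $KnownBadSha256) { [void]$bad.Add($h.Trim()) }

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Locked or unreadable files are skipped rather than aborting the sweep.
            $hash = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
            if ($hash -and $bad.Contains($hash.Hash)) {
                [pscustomobject]@{
                    Path         = $_.FullName
                    Sha256       = $hash.Hash
                    LastWriteUtc = $_.LastWriteTimeUtc
                }
            }
        }
}

# Demo on a scratch directory with constructed files (no real malware involved).
$demo = Join-Path ([IO.Path]::GetTempPath()) ('ioc-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demo | Out-Null
Set-Content -LiteralPath (Join-Path $demo 'suspect.bin') -Value 'constructed sample content'
Set-Content -LiteralPath (Join-Path $demo 'benign.txt')  -Value 'nothing to see here'

$iocs = @(
    # The first entry stands in for a real indicator; the second is an obvious placeholder.
    (Get-FileHash -LiteralPath (Join-Path $demo 'suspect.bin') -Algorithm SHA256).Hash
    '0000000000000000000000000000000000000000000000000000000000000000'
)

Find-IocHashMatches -Root $demo -KnownBadSha256 $iocs | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Run against a real host, point `-Root` at the system drive and feed `-KnownBadSha256` from the IOC list your vendor or CERT published; record the matches (path, hash, last-write time) before any cleanup so the evidence survives for the forensic timeline described above.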

Legal and regulatory implications

  • Ukrainian government lawsuit: In 2017, the Ukrainian government accused Russia of being behind the NotPetya attack and filed a lawsuit against Russia in the International Court of Justice (ICJ). The lawsuit alleged that Russia violated international law by conducting cyber warfare against Ukraine.
  • European Union response: Following the attack, the European Union (EU) declared its support for Ukraine and condemned the cyberattack. The EU, along with other international bodies, expressed concerns over the use of cyberattacks as a means of aggression and called for enhanced cybersecurity measures.
  • Legal considerations: The NotPetya attack raised legal questions and discussions surrounding attribution, accountability, and state-sponsored cyber operations. It prompted debates about the adequacy of existing international laws and frameworks in addressing and deterring such cyber incidents.

Policy and legislative changes

Following the NotPetya attack, several policy and legislative changes were implemented globally:

  • Enhanced cybersecurity regulations: Countries like the United States, as well as the European Union, introduced or strengthened cybersecurity regulations, such as the NIST Cybersecurity Framework and the EU Network and Information Security (NIS) Directive.
  • Data protection and privacy laws: The General Data Protection Regulation (GDPR) was reinforced, imposing stricter obligations on organizations for handling personal data.
  • International cooperation and information sharing: Countries and organizations increased collaboration and information sharing to improve collective defense against cyber threats.
  • Cybersecurity incident response frameworks: Incident response frameworks were developed or updated to enhance preparedness and response capabilities.
  • Cyber insurance and risk assessment: Organizations placed more emphasis on cyber insurance and risk assessment to mitigate potential losses.
  • International norms and cybersecurity guidelines: Discussions on responsible state behavior in cyberspace were intensified, aiming to establish international norms and guidelines.

Insurance claims

  • Mondelez International lawsuit: Mondelez International, a multinational food and beverage company, filed a lawsuit against its insurance carrier, Zurich American Insurance Company, in 2018. Mondelez sought a $100 million claim to cover the damages NotPetya caused. The insurer denied the claim, stating that the attack was an "act of war" and fell under the policy's exclusion clause.
  • Insurance disputes: NotPetya raised significant disputes between insured organizations and their insurance providers. Many policies did not explicitly cover cyber incidents or had exclusions that could be invoked to deny coverage for losses resulting from a cyberattack.
  • Cyber insurance policies: NotPetya's impact highlighted the importance of cyber insurance coverage for organizations. It led to increased scrutiny and awareness of the terms, conditions, and coverage limits in cyber insurance policies.
  • Policy updates and changes: The NotPetya attack prompted insurance companies to reevaluate their policies and make changes to coverage options and exclusions related to cyber incidents. Insurers revised their underwriting practices and premium rates based on the lessons learned from NotPetya and other major cyberattacks.

Tools

Countless cybersecurity innovations, prevention tools, and remediation tools arose following the NotPetya attack.

Prevention tools

  • Patch management solutions: Improved patch management tools and processes to ensure timely installation of software updates, addressing vulnerabilities exploited by malware like NotPetya.
  • Network segmentation: Implementation of network segmentation strategies to isolate critical systems and limit lateral movement of malware within an organization's network.
  • Email and web security: Enhanced email and web security solutions with advanced threat detection capabilities to identify and block malicious attachments, phishing attempts, and compromised websites.

Remediation tools

  • Incident response platforms: Development of comprehensive incident response platforms that provide centralized visibility, automation, and orchestration of response activities to swiftly mitigate the impact of attacks.
  • Backup and disaster recovery solutions: Improved backup and disaster recovery technologies to ensure reliable data backups and rapid restoration of systems and files affected by malware attacks.
  • Forensic analysis tools: Advanced forensic analysis tools to conduct in-depth investigations and identify the root cause of the attack, aiding in incident response and strengthening defenses against future threats.

Cybersecurity innovations

  • Advanced threat detection: Innovations in threat detection technologies, such as machine learning-based algorithms and behavior analytics, to identify and block sophisticated malware like NotPetya.
  • Enhanced endpoint security: Development of advanced endpoint protection solutions that incorporate real-time monitoring, threat intelligence, and behavior-based analysis to detect and prevent malware infections.
  • Security automation and orchestration: Automation of security processes and integration of security tools to streamline incident response and remediation efforts, reducing the impact of attacks like NotPetya.

Lessons learned for organizations

The NotPetya attack provided several important lessons for organizations and the cybersecurity community. Some of the key lessons learned include:

  • The importance of patching: The attack highlighted the criticality of timely patching and software updates. Organizations learned about the necessity to promptly apply security patches to vulnerable systems and prioritize patch management as a fundamental cybersecurity practice.
  • Robust backup and recovery: NotPetya demonstrated the significance of having robust backup and recovery mechanisms in place. Organizations realized the importance of regularly backing up critical data and systems, storing backups offline, and testing the restoration process to ensure effective recovery in the event of an attack.
  • Network segmentation: The attack emphasized the need for network segmentation to limit the lateral movement of malware within an organization's infrastructure. By segmenting networks and restricting access based on user roles and privileges, organizations can contain the spread of malware and minimize the impact of an attack.
  • Proactive threat intelligence: NotPetya underscored the importance of proactive threat intelligence and monitoring. Organizations learned the value of continuously monitoring their networks for suspicious activity, leveraging threat intelligence feeds, and staying informed about emerging threats to detect and respond to attacks in a timely manner.
  • Incident response planning: The attack highlighted the importance of having a well-defined and regularly tested incident response plan. Organizations recognized the need to establish clear roles and responsibilities, define communication channels, and conduct tabletop exercises to ensure a coordinated and effective response to cyber incidents.
  • Vendor and supply chain risk: NotPetya exposed the risks associated with third-party vendors and supply chain dependencies. Organizations realized the need to assess and manage the cybersecurity posture of their vendors, implement strict access controls, and conduct due diligence to minimize the risk of compromised software or systems entering their environment.
  • Heightened cybersecurity awareness: The attack raised awareness among organizations and individuals about the potential impact of cyber threats. It served as a reminder to prioritize cybersecurity measures, educate employees about best practices, and foster a culture of security awareness throughout the organization.

This article is co-authored by Sandeep Kotla and Vignesh S.

Sandeep is an accomplished inbound marketer at Zoho Corporation, specializing in digital workplace strategies, digital transformation initiatives, and enhancing employee experiences. Previously, he handled analyst relations and corporate marketing for Manage Engine (a division of Zoho Corp) and its suite of IT management products. He currently spends most of his time re-imagining and writing about how work gets done in large organizations, reading numerous newsletters, and Marie Kondo-ing his inbox.

Vignesh works as a Marketing Analyst at Zoho Corporation, specializing in content initiatives and digital workplace strategies. He's a passionate creator with a penchant for marketing and growth. In his free time, you can see him shuffling between books, movies, music, sports, and traveling, not necessarily in the same order.
